The vulnerability is especially troublesome for networks operated by large corporations or governmental agencies that have machines using GeForce graphics cards. Attackers who gain low-privileged access to a network can use the vulnerability to gain unfettered access to connected computers. Untrusted users could also use it to escalate privileges available on machines they have access to. The attack reportedly worked on fully updated computers running Microsoft's Windows 7 operating system.

The update fixes a variety of other bugs as well. Full release notes are available here.

According to the linked Security Week article the attacker simply needs to be able to run arbitrary code as an unprivileged user to be able to exploit this. The examples given are enterprise and domain-focused, but unless I'm missing something, given the number of exploits we've seen in other common third-party software in recent years that allow an attacker to execute arbitrary code when a user does something as innocent as viewing a web page, it seems like this should be a fairly high priority for home users to patch as well.

So, technically, can someone explain how a GPU handling output processing (not CPU responsibilities) can reach back up the data flow and impact the core computer, or is this exploit limited to those computers that use GPUs for central processing?

It seems whenever I installed a non-OEM graphics card driver on my older laptops I had problems. Example: Whenever I put my Toshiba in standby and woke it up again, the graphics manager would crash, the screen would flash and eventually the computer would shut itself down. Not fun.

Should I take a chance and install the update on my Lenovo laptop (the driver I have now is from March 2012)?

What procedure is considered kosher these days for updating drivers? If I'm running the immediate predecessor version (310.70 I believe), do I need to uninstall or do any other sort of cleaning before, or just run the installer for the new driver?

NVIDIA provides a clean install option when you run their installer. It's worked for me so far; just choose custom options. Remember, though, this will purge any per-application settings you may have made through the NVIDIA control panel.

By the way, one very good option to uncheck, IMHO, is their auto-update system. The piece-of-crap creates an additional Windows user account without mentioning a damn thing. I caught this on my client's computers a while back. The business-targeted drivers (Quadro) don't seem to do this, but the consumer (GeForce) ones do.

What do you mean it creates an additional user account?

If you install the GeForce drivers with default options, you'll see that it creates an "Updatus" user in your system. There's a user profile in C:\Users named as such. Freaked me out the first time I saw it.

Thanks OTD Razor.

Also, sometimes this user account leaves a registry entry under WindowsNT\ProfileList that will brick your system if it's present when you sysprep.

These kinds of issues make WebGL security concerns seem quite legitimate to me. Injecting code directly into the hardware from a browser.. yikes.

If you're viewing Ars in a modern browser and you're not running NoScript, I have some bad news for you about how the JavaScript in this page runs...

This vulnerability would not have been accessible from WebGL. You'd need to run arbitrary code, so you'd have much better luck with a PinkiePie-style exploit...or just convince people to install your browser bar. In spite of years of warnings and fixing their computers, after removing new ones *again* this Christmas, I know my parents would likely fall for it.

When I was reading about the exploit here (removed in the meantime), I was under the impression that the exploit author demonstrated it by running it with an account which already had admin rights. It would be nice if there were more details to it, not just "there was a bug, now it is patched".

So nVidia has a security bug, AMD has a performance bug, and Intel has a "it just doesn't work"-bug. Does anyone make GPU drivers that actually work correctly?

Stop using AMD (ATI) cards.

So given the options of having a minor performance issue, allowing attackers complete system access and arbitrary privileges, or simply being non-functional you're telling people to avoid the minor performance drop?

So, technically, can someone explain how a GPU handling output processing (not CPU responsibilities) can reach back up the data flow and impact the core computer, or is this exploit limited to those computers that use GPUs for central processing?

The flaw is in the driver, which runs in Windows on the CPU, not the GPU.

flunk wrote:

Not quite that bad seeing as it won't work behind a NAT firewall. Most home users will be safe from this.

Where did you see something indicating that NAT would have anything to do with this? It sounds like the exploit just requires the execution of arbitrary code and there have been plenty of holes in things like all common web browsers, Flash, Java, and Adobe Reader which enable that.

If you install the GeForce drivers with default options, you'll see that it creates an "Updatus" user in your system. There's a user profile in C:\Users named as such. Freaked me out the first time I saw it.

Thanks OTD Razor.

Also, sometimes this user account leaves a registry entry under WindowsNT\ProfileList that will brick your system if it's present when you sysprep.

Holy crap, that's news to me! Thanks for the info, I'll watch out for that one.

So, technically, can someone explain how a GPU handling output processing (not CPU responsibilities) can reach back up the data flow and impact the core computer, or is this exploit limited to those computers that use GPUs for central processing?

Easy; modern GPUs are basically specialised CPUs hanging off a PCIe data bus. They're even able to access main memory. So if you can upload some code to the GPU you can basically treat it as a CPU - poke around in kernel memory, pull out data, whatever.

Both OpenGL and Direct3D have special-purpose languages that clients can use to write code that runs on the GPU; this means that the shader compilers in the driver are security-critical code - which is what makes WebGL a bit scary. Furthermore, if the driver accidentally allows direct access to some of the hardware then you can do arbitrarily nasty things. Without having read details of the flaw, I'd guess it was something along these lines. The nVidia Linux drivers had a similar hole for a while.

What do you mean it creates an additional user account?

If you install the GeForce drivers with default options, you'll see that it creates an "Updatus" user in your system. There's a user profile in C:\Users named as such. Freaked me out the first time I saw it.

Thanks OTD Razor.

So that's where that user came from. I assumed it'd been created as a back door by my system builder (and took appropriate "steps").

Yes, I'm lazy and I order my systems rather than making a total mess myself.

So, technically, can someone explain how a GPU handling output processing (not CPU responsibilities) can reach back up the data flow and impact the core computer, or is this exploit limited to those computers that use GPUs for central processing?

Easy; modern GPUs are basically specialised CPUs hanging off a PCIe data bus. They're even able to access main memory. So if you can upload some code to the GPU you can basically treat it as a CPU - poke around in kernel memory, pull out data, whatever.

Both OpenGL and Direct3D have special-purpose languages that clients can use to write code that runs on the GPU; this means that the shader compilers in the driver are security-critical code - which is what makes WebGL a bit scary. Furthermore, if the driver accidentally allows direct access to some of the hardware then you can do arbitrarily nasty things. Without having read details of the flaw, I'd guess it was something along these lines. The nVidia Linux drivers had a similar hole for a while.

Please actually read about exploits before "guessing" at their root cause. Shaders are not magic programs that can do anything they want. They are fairly constrained execution kernels with well defined inputs and outputs, offering a fairly small attack surface. Both the Linux exploit and this one happened in the driver code, fully on the CPU side of things, and which will likely continue to be the source of any future graphics exploits. The shader compiler is a far more probable source of exploits than executing the shaders themselves.

The Linux exploit occurred because NVIDIA failed to prevent user-land code from changing the memory-to-VGA-window mapping, and this exploit occurred because they left a memmove operation available to anyone with machine access, regardless of privilege level. Neither would have been exploitable from a browser without an additional series of exploits to execute arbitrary code and to break out of any browser-process sandboxing used, at which point your machine was probably owned anyways.
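The bug class described in the comment above (a privileged service exposing a memmove whose source, destination and length come from any local caller) is illustrated here with an added example that is not NVIDIA's code; the `struct move_req` message layout and the `scratch` buffer are hypothetical. The hardened handler bounds every client-supplied range against the buffer the service actually owns, using subtraction so the offset-plus-length arithmetic cannot wrap, and any request that fails the check is rejected before the copy happens (a real service would also verify the caller's identity before honouring the request at all).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not NVIDIA's code. A privileged service that exposes a
 * "move bytes" request must bound every client-supplied offset and length
 * against the buffer it owns, and must not let the arithmetic wrap. */

#define SCRATCH_SIZE 256
static unsigned char scratch[SCRATCH_SIZE];   /* the service's own buffer */

struct move_req {               /* hypothetical IPC message layout */
    uint64_t src_off;           /* offsets chosen by the (untrusted) caller */
    uint64_t dst_off;
    uint64_t len;
};

enum move_status { MOVE_OK = 0, MOVE_EINVAL = 1 };

/* Returns nonzero if [off, off+len) lies inside a buffer of 'size' bytes.
 * Written as a subtraction so that off + len can never overflow. */
static int range_ok(uint64_t off, uint64_t len, size_t size)
{
    return off <= size && len <= size - off;
}

/* Hardened handler. The unchecked form, memmove(scratch + dst_off,
 * scratch + src_off, len) with no range_ok() calls, hands any caller an
 * arbitrary copy primitive inside the service's address space. */
enum move_status handle_move(const struct move_req *req)
{
    if (!range_ok(req->src_off, req->len, SCRATCH_SIZE) ||
        !range_ok(req->dst_off, req->len, SCRATCH_SIZE))
        return MOVE_EINVAL;     /* reject before touching memory */
    memmove(scratch + req->dst_off, scratch + req->src_off, (size_t)req->len);
    return MOVE_OK;
}

/* Small accessors so the buffer state can be observed from outside. */
void scratch_fill(unsigned char v) { memset(scratch, v, SCRATCH_SIZE); }
void scratch_set(size_t i, unsigned char v) { scratch[i] = v; }
unsigned char scratch_at(size_t i) { return scratch[i]; }
```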

Glad I unchecked the auto-update box in the first place, then. For me, it goes back to a few PCs ago, a 150 MHz Pentium (with 128MB RAM and 2MB VRAM) I had up into '07 - I had it stripped as bare as it could go, given that it barely had enough horsepower to do much of anything on a good day.

Now, I've got a modern PC, but it drives me nuts that every piece of software I have wants to 'help me out' by checking for updates. Thanks, ImgBurn, but I think the version I'm on is just fine. I appreciate Adobe keeping Flash patched, but once an hour 24 hours a day seems a bit much.

Well, off to download yet another 150+ MB driver package from Nvidia, I suppose.

So the real issue is there are holes in the driver management layer in Windows 7 that allow a driver mode to take over other subsystems?

Graphics drivers (as per almost all common OS) run with at least some ring0 components -> can do what the hell they like to the hardware and therefore the OS. In any case, I wouldn't be at all surprised to find that GPUs could be used to break out of a *hypervisor* if there was no IOMMU support in the chipset.